From owner-svn-src-all@freebsd.org  Mon Nov 19 15:31:55 2018
Return-Path: <owner-svn-src-all@freebsd.org>
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 7DA861106B44;
 Mon, 19 Nov 2018 15:31:55 +0000 (UTC)
 (envelope-from tijl@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org
 [IPv6:2610:1c1:1:606c::19:3])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mxrelay.nyi.freebsd.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 24CE57A606;
 Mon, 19 Nov 2018 15:31:55 +0000 (UTC)
 (envelope-from tijl@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 05F9923F1C;
 Mon, 19 Nov 2018 15:31:55 +0000 (UTC)
 (envelope-from tijl@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id wAJFVsV3002782;
 Mon, 19 Nov 2018 15:31:54 GMT (envelope-from tijl@FreeBSD.org)
Received: (from tijl@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id wAJFVsb2002781;
 Mon, 19 Nov 2018 15:31:54 GMT (envelope-from tijl@FreeBSD.org)
Message-Id: <201811191531.wAJFVsb2002781@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: tijl set sender to
 tijl@FreeBSD.org using -f
From: Tijl Coosemans <tijl@FreeBSD.org>
Date: Mon, 19 Nov 2018 15:31:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r340631 - head/sys/compat/linux
X-SVN-Group: head
X-SVN-Commit-Author: tijl
X-SVN-Commit-Paths: head/sys/compat/linux
X-SVN-Commit-Revision: 340631
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 24CE57A606
X-Spamd-Result: default: False [0.49 / 15.00];
 local_wl_from(0.00)[FreeBSD.org];
 NEURAL_SPAM_MEDIUM(0.03)[0.027,0];
 ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US];
 NEURAL_SPAM_SHORT(0.47)[0.467,0]
X-Rspamd-Server: mx1.freebsd.org
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
 user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all/>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-all>,
 <mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2018 15:31:55 -0000

Author: tijl
Date: Mon Nov 19 15:31:54 2018
New Revision: 340631
URL: https://svnweb.freebsd.org/changeset/base/340631

Log:
  Do proper copyin of control message data in the Linux sendmsg syscall.
  
  Instead of calling m_append with a user address, allocate an mbuf cluster
  and copy data into it using copyin.  For the SCM_CREDS case, instead of
  zeroing a stack variable and appending that to the mbuf, zero part of the
  mbuf cluster directly.  One mbuf cluster is also the size limit used by
  the FreeBSD sendmsg syscall (uipc_syscalls.c:sockargs()).
  
  PR:		217901
  Reviewed by:	kib
  MFC after:	3 days

Modified:
  head/sys/compat/linux/linux_socket.c

Modified: head/sys/compat/linux/linux_socket.c
==============================================================================
--- head/sys/compat/linux/linux_socket.c	Mon Nov 19 15:29:40 2018	(r340630)
+++ head/sys/compat/linux/linux_socket.c	Mon Nov 19 15:31:54 2018	(r340631)
@@ -1085,7 +1085,6 @@ linux_sendmsg_common(struct thread *td, l_int s, struc
     l_uint flags)
 {
 	struct cmsghdr *cmsg;
-	struct cmsgcred cmcred;
 	struct mbuf *control;
 	struct msghdr msg;
 	struct l_cmsghdr linux_cmsg;
@@ -1096,6 +1095,7 @@ linux_sendmsg_common(struct thread *td, l_int s, struc
 	struct sockaddr *sa;
 	sa_family_t sa_family;
 	void *data;
+	l_size_t len;
 	int error;
 
 	error = copyin(msghdr, &linux_msg, sizeof(linux_msg));
@@ -1126,7 +1126,6 @@ linux_sendmsg_common(struct thread *td, l_int s, struc
 		return (error);
 
 	control = NULL;
-	cmsg = NULL;
 
 	if ((ptr_cmsg = LINUX_CMSG_FIRSTHDR(&linux_msg)) != NULL) {
 		error = kern_getsockname(td, s, &sa, &datalen);
@@ -1136,8 +1135,10 @@ linux_sendmsg_common(struct thread *td, l_int s, struc
 		free(sa, M_SONAME);
 
 		error = ENOBUFS;
-		cmsg = malloc(CMSG_HDRSZ, M_LINUX, M_WAITOK|M_ZERO);
 		control = m_get(M_WAITOK, MT_CONTROL);
+		MCLGET(control, M_WAITOK);
+		data = mtod(control, void *);
+		datalen = 0;
 
 		do {
 			error = copyin(ptr_cmsg, &linux_cmsg,
@@ -1149,10 +1150,14 @@ linux_sendmsg_common(struct thread *td, l_int s, struc
 			if (linux_cmsg.cmsg_len < sizeof(struct l_cmsghdr))
 				goto bad;
 
+			if (datalen + CMSG_HDRSZ > MCLBYTES)
+				goto bad;
+
 			/*
 			 * Now we support only SCM_RIGHTS and SCM_CRED,
 			 * so return EINVAL in any other cmsg_type
 			 */
+			cmsg = data;
 			cmsg->cmsg_type =
 			    linux_to_bsd_cmsg_type(linux_cmsg.cmsg_type);
 			cmsg->cmsg_level =
@@ -1170,35 +1175,34 @@ linux_sendmsg_common(struct thread *td, l_int s, struc
 			if (sa_family != AF_UNIX)
 				continue;
 
-			data = LINUX_CMSG_DATA(ptr_cmsg);
-			datalen = linux_cmsg.cmsg_len - L_CMSG_HDRSZ;
+			if (cmsg->cmsg_type == SCM_CREDS) {
+				len = sizeof(struct cmsgcred);
+				if (datalen + CMSG_SPACE(len) > MCLBYTES)
+					goto bad;
 
-			switch (cmsg->cmsg_type)
-			{
-			case SCM_RIGHTS:
-				break;
-
-			case SCM_CREDS:
-				data = &cmcred;
-				datalen = sizeof(cmcred);
-
 				/*
 				 * The lower levels will fill in the structure
 				 */
-				bzero(data, datalen);
-				break;
+				memset(CMSG_DATA(data), 0, len);
+			} else {
+				len = linux_cmsg.cmsg_len - L_CMSG_HDRSZ;
+				if (datalen + CMSG_SPACE(len) < datalen ||
+				    datalen + CMSG_SPACE(len) > MCLBYTES)
+					goto bad;
+
+				error = copyin(LINUX_CMSG_DATA(ptr_cmsg),
+				    CMSG_DATA(data), len);
+				if (error != 0)
+					goto bad;
 			}
 
-			cmsg->cmsg_len = CMSG_LEN(datalen);
-
-			error = ENOBUFS;
-			if (!m_append(control, CMSG_HDRSZ, (c_caddr_t)cmsg))
-				goto bad;
-			if (!m_append(control, datalen, (c_caddr_t)data))
-				goto bad;
+			cmsg->cmsg_len = CMSG_LEN(len);
+			data = (char *)data + CMSG_SPACE(len);
+			datalen += CMSG_SPACE(len);
 		} while ((ptr_cmsg = LINUX_CMSG_NXTHDR(&linux_msg, ptr_cmsg)));
 
-		if (m_length(control, NULL) == 0) {
+		control->m_len = datalen;
+		if (datalen == 0) {
 			m_freem(control);
 			control = NULL;
 		}
@@ -1212,8 +1216,6 @@ linux_sendmsg_common(struct thread *td, l_int s, struc
 bad:
 	m_freem(control);
 	free(iov, M_IOV);
-	if (cmsg)
-		free(cmsg, M_LINUX);
 	return (error);
 }